Most Post-Intrusion Cyber Attacks Involve Everyday Admin Tools

Ninety-nine percent of post-intrusion cyberattack activities leverage standard networking, IT administration and other tools as opposed to malware.

Think hackers use advanced malware and mysterious tools once they have infiltrated a network? According to security startup LightCyber, most attackers use the same mainstream tools the good guys use, but for lateral movement, network mapping and remote control of endpoints.

Of course, tactics for penetrating the network include tried-and-true techniques such as malware, spear phishing and exploit kits, but once inside, the best way to go unnoticed is to blend in. According to a LightCyber 2016 Cyber Weapons Report, 99 percent of post-intrusion cyberattack activities did not employ malware, but rather admin, networking and remote access tools.

“The most mundane applications, in the wrong hands, can be used for malicious purposes,” according to LightCyber’s report.

Once behind the firewall, attackers use admin software tools such as Angry IP Scanner, Nmap and SecureCRT. Together these three programs represent 28.5 percent of tools employed in post-penetration attacks.

Other tools, such as TeamViewer, WinVNC and Radmin, are popular with intruders. “Attackers use them to gain access to new hosts, to move laterally within the internal network, or to remotely control compromised devices from the internet,” according to LightCyber.

Typically, attackers target previously installed versions of software. In the case of TeamViewer, LightCyber reports, attackers have seen the remote desktop software as a particularly soft target given a recent rash of password reuse incidents.

Additionally, attackers take advantage of ordinary end-user programs such as web browsers, file-transfer clients and native system tools for command and control and data exfiltration activity, according to LightCyber’s report. “Web browsers as well as FTP, WinSCP, file sharing apps, and even email, were all associated with data exfiltration,” the report claims.

By hiding in plain sight, hackers are able to go months without detection, affording them the option of taking a “low and slow” approach to network infiltration.

“Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware,” said Jason Matlof, executive vice president at LightCyber, in the report. He argues that malware-focused security infrastructure is insufficient, and that security professionals need to be on the lookout for attacks that “land and expand” using admin and remote access tools, which allow hackers to traverse a network, take over more machines and obtain sensitive data.

The most common attacker objective observed was reconnaissance of a company’s network, followed by lateral movement and then command-and-control communication.
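The practical consequence of these findings is that defenders have to hunt for legitimate tools used in the wrong place rather than for malicious binaries. The following is an added example, not code from LightCyber or the report, of what such a hunt looks like over endpoint telemetry: it flags the dual-use tools named above (Nmap, Angry IP Scanner, SecureCRT, TeamViewer, WinVNC, Radmin, WinSCP) when they run on a host or under an account outside an approved admin baseline, and it flags reconnaissance-style fan-out, a single source contacting many distinct internal hosts within a short window. The process names, the baseline and the log events are constructed for illustration.

```python
"""Hunt for admin-tool misuse in process-start and connection logs.

Added example (not LightCyber's code). Process image names, the approved
admin baseline and all events below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Dual-use tools from the report and the image name each is assumed to run
# under on Windows (names are assumptions, not from the report).
DUAL_USE_TOOLS = {
    "nmap.exe": "network mapping",
    "ipscan.exe": "network mapping",          # Angry IP Scanner
    "securecrt.exe": "remote access",
    "teamviewer.exe": "remote control",
    "winvnc.exe": "remote control",
    "radmin.exe": "remote control",
    "winscp.exe": "file transfer / exfiltration",
}

# (host, user) pairs expected to run these tools (constructed baseline).
APPROVED_ADMINS = {("jump01", "corp\\netops")}

# Constructed process-start events: (timestamp, host, user, image)
PROCESS_EVENTS = [
    ("2016-07-12T09:02:11", "jump01", "corp\\netops", "nmap.exe"),
    ("2016-07-12T11:47:03", "ws-0412", "corp\\jdoe", "TeamViewer.exe"),
    ("2016-07-12T11:49:40", "ws-0412", "corp\\jdoe", "nmap.exe"),
    ("2016-07-12T12:00:01", "ws-0412", "corp\\jdoe", "outlook.exe"),
]

# Constructed connection events: (timestamp, src_host, dst_ip, dst_port).
# ws-0412 sweeps 30 hosts on 10.0.5.0/24 over SMB within 30 seconds;
# jump01 touches three hosts spread over the day.
CONN_EVENTS = [
    ("2016-07-12T11:50:%02d" % i, "ws-0412", "10.0.5.%d" % i, 445)
    for i in range(1, 31)
] + [
    ("2016-07-12T09:05:00", "jump01", "10.0.5.2", 22),
    ("2016-07-12T13:10:00", "jump01", "10.0.5.9", 22),
    ("2016-07-12T16:40:00", "jump01", "10.0.5.14", 22),
]


def flag_tool_use(events, tools=DUAL_USE_TOOLS, approved=APPROVED_ADMINS):
    """Return dual-use tool starts on hosts/accounts outside the baseline."""
    findings = []
    for ts, host, user, image in events:
        purpose = tools.get(image.lower())
        if purpose is None:
            continue                    # ordinary program, not of interest
        if (host, user) in approved:
            continue                    # expected admin activity
        findings.append({"ts": ts, "host": host, "user": user,
                         "image": image.lower(), "purpose": purpose})
    return findings


def flag_fan_out(conns, window_seconds=60, threshold=20):
    """Map src_host -> peak number of distinct destinations contacted
    within any sliding window of window_seconds, for sources at or above
    threshold. Sweeps of many internal hosts are the recon signal."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in conns:
        by_src[src].append((datetime.fromisoformat(ts), dst))
    findings = {}
    for src, items in by_src.items():
        items.sort()
        in_window = defaultdict(int)    # distinct destinations currently in window
        left = 0
        for t, dst in items:
            in_window[dst] += 1
            # Slide the window's left edge forward past events that are too old.
            while (t - items[left][0]).total_seconds() > window_seconds:
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                findings[src] = max(findings.get(src, 0), len(in_window))
    return findings


if __name__ == "__main__":
    for f in flag_tool_use(PROCESS_EVENTS):
        print("TOOL  %(ts)s %(host)s %(user)s ran %(image)s (%(purpose)s)" % f)
    for src, n in flag_fan_out(CONN_EVENTS).items():
        print("SWEEP %s contacted %d distinct hosts within 60s" % (src, n))
```

The two checks are deliberately independent: the tool check catches the 28.5 percent of cases where the tool itself is identifiable by name, while the fan-out check catches network mapping regardless of which program performed it, which matters once attackers rename binaries or use native utilities. In the constructed data, jump01 running Nmap is suppressed by the baseline, and ws-0412 is reported both for running TeamViewer and Nmap under an ordinary user account and for the 30-host sweep.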

“By using these tools, attackers can remain undetected for months and quickly regain access even if the malware used to enter the network is identified and removed,” according to the report.

Unlike malware, “riskware programs, such as dual-purpose admin and hacker tools, were detected during the reconnaissance phase; they rarely appeared during the lateral movement and data exfiltration phases,” the report said.

That’s not to say malware is not part of a hacker’s toolkit. The report states that the primary use of malware is still infiltration and exfiltration. “Threat actors primarily use malware as the initial exploit to compromise systems and for outbound communications between infected clients and the Internet,” the report said.

The LightCyber 2016 Cyber Weapons Report gathered data during a six-month period on organizations that ranged in size from 1,000 to 50,000 endpoints, spanning industries such as finance, healthcare, transportation, government, telecommunications and technology.